Posted to apache-bugdb@apache.org by Marc Slemko <ma...@znep.com> on 2000/02/21 19:50:03 UTC
Re: mod_log-any/5747 (fwd)
The following reply was made to PR mod_log-any/5747; it has been noted by GNATS.
From: Marc Slemko <ma...@znep.com>
To: Apache bugs database <ap...@apache.org>
Cc:
Subject: Re: mod_log-any/5747 (fwd)
Date: Mon, 21 Feb 2000 11:41:17 -0700 (MST)
---------- Forwarded message ----------
Date: Sat, 12 Feb 2000 15:57:25 -0500 (EST)
From: TTSG <tt...@ttsg.com>
To: Marc Slemko <ma...@znep.com>
Subject: Re: mod_log-any/5747
>
> Sorry, I think you had better look again. The client doesn't send it,
> period. If it did send it in some cases, then that would be a major
> security hole and should be fixed in the client. As it is, allowing this
> to be specified in the URL is a security hole and should never have been
> implemented by browsers. The way it is implemented is a hack that only
> partially works and has numerous problems.
>
From a Netscape server log:
format=%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%] "%Req->reqpb.clf-request%" %Req->srvhdrs.clf-status% %Req->srvhdrs.content-length% "%Req->headers.referer%" "%Req->headers.user-agent%"
208.33.224.36 - - [12/Feb/2000:12:54:27 -0800] "GET /protected/news2.htm HTTP/1.0" 401 223 "http://furer:deg6@207.87.7.16/mea1x.htm" "Mozilla/4.03 [en] (Win95; I)"
Tuc/TTSG
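
A log check for the leak the server log above shows (a Referer header carrying user:password@ from a URL), added here as an example and not part of the original messages. It assumes Combined Log Format input; the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def redact_userinfo(url):
    """Return (url_without_credentials, leaked). Only the authority part is
    inspected, so an '@' in the path or query is not a finding."""
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed authority, e.g. a broken IPv6 literal
        return url, False
    if "@" not in parts.netloc:
        return url, False
    host = parts.netloc.rpartition("@")[2]
    return urlunsplit(parts._replace(netloc="REDACTED@" + host)), True

def scan(lines):
    """Return (line_number, client_ip, redacted_line) for each entry whose
    Referer carried credentials; the stored line no longer contains them."""
    findings = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        m = CLF.match(line)
        if not m:
            continue
        clean, leaked = redact_userinfo(m.group("referer"))
        if leaked:
            start, end = m.span("referer")
            findings.append((n, m.group("host"), line[:start] + clean + line[end:]))
    return findings

# Constructed sample lines (documentation addresses, made-up credentials).
AGENT = '"Mozilla/4.03 [en] (Win95; I)"'
SAMPLE = [
    '192.0.2.7 - - [12/Feb/2000:12:54:27 -0800] "GET /protected/a.htm HTTP/1.0" 401 223 "http://alice:s3cret@198.51.100.5/index.htm" ' + AGENT,
    '192.0.2.8 - - [12/Feb/2000:12:55:01 -0800] "GET /b.htm HTTP/1.0" 200 512 "http://198.51.100.5/u/@bob" ' + AGENT,
    '192.0.2.9 - - [12/Feb/2000:12:56:40 -0800] "GET /c.htm HTTP/1.0" 200 90 "-" ' + AGENT,
]

if __name__ == "__main__":
    for n, ip, line in scan(SAMPLE):
        print(f"line {n}: client {ip} sent credentials in Referer\n  {line}")
```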